- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[ a r t i c l e ]  The Gentle Art of Trojan Horsing w/ Windows
[ a u t h o r ]    EXo
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

i. INTRO

It's very hard for me to write an intro to this article since we've published so many articles about trojans. Before you decide not to read Phreedom magazine anymore I should assure you that there will be no more big Trojan horsing articles in the magazine, although this is one of my favorite subjects. In this article I'll try to combine the major points of the Trojan horsing art. I don't say this article is going to be complete - if anyone has any good ideas feel free to send them. I considered the idea of combining this with all the Trojan horse articles from the past issues to give you a complete tutorial on Trojan horsing, but decided not to. Maybe some day Solar Eclipse and I will write a complete trojans article - including everything from fake trojans to VxD coding [2][5] and advanced sniffing techniques. (NOTE: everything concerning CC phishing you'll find in Star Gruhtar's article in this issue.)

I think that was good for an intro :) And before I start with some real info let me tell you that coding trojans is not as hard as many ppl using BO or NetBus (which are lamely called 'remote administration toolkits') think. I assume you know you have to have some Windows coding experience, some help files [10], a compiler [2] and the good will to create something by yourself.

Some time ago we received a mail from a nervous guy who said that the definition of a function in an article in PHREEDOM magazine was written wrong. But actually he didn't bother reading a couple of rows above to see what the explanation was. We can't help that kind of assholes. So - let's get working !!!

ii.
What is a Trojan and what's it used for

A Trojan, in general, is a background process doing something without the user's knowledge and, most of all, without your consent. Having a Trojan on your PC is a result only of your negligence. If there is a Trojan on your system it's only your fault - no one else to blame. This was the most abstract explanation of a Trojan I could give. The rest is a huge amount of actions which the trojan can perform, different ways for it to be installed, etc. In this article I'll write only about Windows trojans. If you want to know something about Linux trojans - read Iron Code's article also.

And now here are some of the things a Trojan can do for you:

* Trojans for acquiring accounts - the most famous trojans, used to acquire different kinds of accounts (Dial-Up, FTP, telnet, mail, etc). After they acquire some kind of account they send it one way or another to the owner of the Trojan, and this way he/she gets the info he/she needs. Here in Bulgaria ppl use mostly Dial-Up Trojans. This type of Trojan can also have a built-in sniffer or keyboard capturing system.

* Flood trojans - they became popular after the multiple attacks on the BTC (Bulgarian Telecommunication Company = assholes) servers. The idea is for the Trojan to generate traffic to the server, and if the Trojan is spread well it could possibly flood the server. Interesting only if you're some crazy anarchy guy. A defense against this kind of Trojan is not known yet, but the method of the Trojan does not assume any.

* Keylogger - Trojans which log everything entered from the keyboard. Used mainly for getting CC info - in that case they do not log everything, only the useful info. Easy to code and can be used pretty successfully for spying, for example.

* Blow-up trojans - the type of trojans that aim to do as much harm as possible on the machine. Used once to harm some BBS systems - when they were using DOS and were very easy targets for some anarchy stuff :).
There is even a Trojan that is a .bat file consisting of only 1 command: 'format c:'.

* Remote administration tools - these are programs which claim to be designed to remotely administrate your PC = BULLSHIT! These are trojans for lame gyuz! Most of them just have some pseudo-command interpreter or a gate to command.com.

Of course these are just some examples. There are some trojans you wouldn't have thought of. Let me give you an example: at an informatics competition a guy did not give the jury the solution to the problem but a Trojan which searched the jury's HDD for the answer to the problem and printed it. He reached the TOP 10 of the competition, though he never thought of knowing the right algorithm for the problem.

iii. Sending the Trojan

The Trojan works without the knowledge of the victim. This means that the victim should be manipulated to run the Trojan without even noticing it. In issue#17 you can find the most common ways to spread the trojan. In issue#19 you can find most of the ways to get your Trojan onto victims' PCs (via eMail, IRC, ICQ, etc.).

A nice way, never mentioned before, is to use the auto-run CD. Many systems have their auto-run option ON and you can use it wisely, even if the guy (your victim) thinks of himself as a genius and acts carefully on the net.

One of my favorites is to send a file with a fucked-up name via ICQ. A file that looks like: abc.jpg .exe (more than 200 spaces between ".exe" and the fake name) will look like abc.jpg in the ICQ "Send File" dialog box. And if the guy is stupid enough to press the "Open" button as soon as he gets the file - here you have another fishie-fish. Moreover, files like this look like "abc.jpg ..." in Windows Explorer and there is a big possibility the guy takes this as a normal .jpg picture.

Other people tend to accept any files they get via DCC. On-join scripts do not work as well as in the past, but some gyuz still use this way of phishing.
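As an added example (not part of EXo's article), here is a small Python check for the padded-name trick described above, written from the receiving side: it looks at what Windows will actually act on (the last extension, ignoring trailing spaces) and flags names that hide an executable extension behind a run of whitespace or behind a harmless-looking inner extension. The extension lists and the sample names are constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Extensions Windows runs when the file is "opened" (constructed list for this example).
EXECUTABLE_EXTS = {"exe", "com", "bat", "cmd", "pif", "scr", "vbs", "js", "lnk"}
# Extensions a deceptive name pretends to carry (constructed list for this example).
BENIGN_LOOKING_EXTS = {"jpg", "jpeg", "gif", "bmp", "png", "txt", "doc", "zip", "mp3"}


@dataclass
class FilenameVerdict:
    name: str
    true_ext: str                      # what Windows will actually act on
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def analyze_filename(name: str) -> FilenameVerdict:
    """Flag names built to look harmless in a narrow dialog while ending in an executable extension."""
    stripped = name.rstrip()           # trailing spaces are not part of the real extension
    if "." not in stripped:
        return FilenameVerdict(name, "")
    head, true_ext = stripped.rsplit(".", 1)
    true_ext = true_ext.lower()
    reasons = []
    if true_ext in EXECUTABLE_EXTS:
        # 1) a long whitespace run pushes the real extension out of a dialog's visible width
        pad = re.search(r"\s{2,}", head)
        if pad:
            reasons.append(f"{len(pad.group())} whitespace characters hide the .{true_ext} extension")
        # 2) a harmless-looking inner extension sits right before the real one
        inner = re.search(r"\.([A-Za-z0-9]+)\s*$", head)
        if inner and inner.group(1).lower() in BENIGN_LOOKING_EXTS:
            reasons.append(f"double extension: displays as .{inner.group(1).lower()} but runs as .{true_ext}")
    return FilenameVerdict(name, true_ext, reasons)


def scan_names(names):
    """Return (name, verdict) for every name that trips a rule."""
    results = [(n, analyze_filename(n)) for n in names]
    return [(n, v) for n, v in results if v.suspicious]


# Constructed sample: two legitimate names, the ICQ/Explorer trick from the text, and two variants.
SAMPLE_NAMES = [
    "abc.jpg",
    "setup.exe",
    "abc.jpg" + " " * 200 + ".exe",
    "photo.jpg.exe",
    "readme" + " " * 50 + ".scr",
]

if __name__ == "__main__":
    for n, v in scan_names(SAMPLE_NAMES):
        print(repr(re.sub(r"\s{2,}", " [...] ", n)), "->", "; ".join(v.reasons))
```

A plain "setup.exe" is deliberately not flagged: the point is the mismatch between what the name shows and what it runs, not the presence of an executable as such.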
Anyway, I think on-join scripts are really stupid. Another example is to use the bug in .zip files which enables you to extract files into an arbitrary directory on the HDD where the .zip resides. This method was described in detail in the previous PHM issue.

Nevertheless you must plan your actions as accurately as you can. You have to use your social engineering skills. You can have a perfect Trojan, but if you can't lie you won't get any use of it. But no one can teach you this - it comes naturally.

iv. Starting

After the Trojan has been installed there are a couple of ways to make it start at every start of Windows:

* Using system.ini - maybe few people know the 'run=' and 'load=' fields in the [boot] section of system.ini, which have been there since Win 3.11 and allow loading a program when Windows starts. Actually, once this was the only way to start a Trojan without using the Start-Up folder. This one still works. If you change the "shell=" command so that instead of explorer.exe it loads your own shell, which is the Trojan, you can easily start anything before explorer.exe loads.

* Using the registry - the most standard way to load software, used by most of the shareware programs. Unfortunately very easy to detect if you don't mask the .exe with some nice name :) Look at the section Software\Microsoft\Windows\CurrentVersion\Run of HKEY_CURRENT_USER and you'll get what I'm talking about.

* Winstart.bat - that's the file used when software is being installed. It replaces any system files used during the installation of the software. Useful since it's loaded before krnl386.exe and before any .dll, .drv and .vxd files boot.

* Using a hacked .exe or .dll - this assumes that you know the PE and LE structures [14] of the executable files and the dynamic libraries used by Windows. So you only have to rearrange the program segments and change the entry point to your own code, attached to the .dll or .exe file. This code then hands over to the original code of the file.
This method is logically sound but I haven't seen it done. You may use a fake driver to load your Trojan. I've seen one or two Trojans using that method [3]. You should also keep in mind the fact that when a system is running you cannot access the .dll files due to some sharing restrictions. In this case you have to find an alternate way to install the Trojan [for example winstart.bat].

* Using a fake .dll - you code a .dll file with the same name as some system .dll file and put code in the initialization procedure to load the trojan. Then the original .dll is started. Make sure to take all the exports and place them in your .dll file so it looks like the original one.

It's a good idea to combine some of these methods, so if one of them screws up the other will continue to load your Trojan. You should compress your Trojan and try to make it smaller in size - no one likes huge mail attachments and no one likes downloading them. In order to achieve this you can use a program such as Petite, although this compressor [6][7][8] screws up if the .exe has an unusual structure or overlays. Using some anti-debugging techniques is preferable, since if the Trojan is caught it will surely be disassembled [15] in order to figure out what it does.

v. Sniffing data

Well, in order to get something from the victim's PC the trojan should capture the info needed. There are some basic methods here too:

* Windows hooking - the standard Windows API allows you to use hooks, which allow us to trace defined events or, to be more precise, to trace the messages sent to the applications. Using them we can get into a window and get the info we need, with the guarantee that it's the most recent info entered. The function 'SetWindowsHookEx' is the one we use. You may find info about it in Microsoft's API Help and/or MSDN (I myself prefer MSDN). The idea is to create a function which, after the hook has been set, is called when defined events appear.
Using the hooks you can get every event [even the movement of the mouse]. Using hooks is a very good idea since you don't have to make changes to the system. For example: you can trace the appearance of the Connect-To dialog box and, after the user clicks 'Connect', get the contents of the fields. You can use the same trick to trace SecureCRT or a standard telnet session when a new account is being created and grab the login and password - a thing that cannot be done any other way, having in mind that the connection might also be encrypted. The negative side of this method is that it can be caught with programs such as Dr. Watson, which give advanced info about the system and the loaded drivers/processes. Refer to Issue#17 for more examples.

* Keyboard capturing - very useful - has practically unlimited usage. You can use it when someone authenticates manually or to capture all the forms submitted through a browser. The second allows us to capture CC accounts - for this one we trace all the keyboard traffic and when a CC number is detected we log 1kb before and 1kb after the number. These techniques are described in StarGruhtar's article. Just a warning about the Shift and CapsLock keys - they determine whether letters are capital or small.

* Sniffing - this is the main technique used for Linux hacking. The idea is to capture all the TCP/IP traffic, filter the connections and get what you need. In order to do this you have to write a VxD [4][13] - info about writing VxDs you can find in issue#19. If you don't know what sniffing is you MUST read kay's article in this issue. At the moment Solar Eclipse is working on a libpcap implementation for WinNT, which should allow you to code sniffers for Windows. No one can ever tell when, or if, he will ever finish this project.

* Fooling the enemy - this is a part of the social engineering methods, which is the lamest way to do a Trojan.
All you have to do is a program which pretends to do something related to the authorization you're interested in, and if the program is good you'll get what you want and you'll be amazed how many people will use it. One of the oldest BG trojans I know used this method - it pretended to be a program which would check the user's online time.

vi. Keeping and sending the saved information

Of course the info extracted by the Trojan has to be kept somewhere until you receive it via e-mail [12] or any other way. No matter where you keep your stolen data [registry, a file on the HDD, etc] it's better to encrypt it so that no one can ever notice it. When sending the e-mail it's obligatory to encrypt the data with the best method possible (PGP [9] is a good idea, even if it is a little bit harder to link in). You can use an encryption table depending on the current configuration of the system (that gives you different encryption tables for every PC). Then only the data used as the base of the table is sent unencrypted, and when you receive your mail you have the guarantee that only you know how to decrypt it.

Sending the data itself can also be done in different ways, depending on the situation, but usually we send the results by e-mail. A little bit harder is to submit data via ICQ. This is going to be less suspicious because even if you do not hide your connection to the server there won't be anything strange in netstat - there will be just a connection to the server of Mirabilis. Since ICQ still supports older versions of the protocol (2,3,4) [1] you can find info about it, and sending a message is not that hard after all. I've seen an ICQ based Trojan which uses the client-server method and does things which the authors of BackOrifice can only dream of. Of course this Trojan has never been presented to the "lamers" public and is still one of the best I've ever seen.

It's strange that many people find it hard to deal with the code for sending e-mail.
But despite this I recommend you not to take libraries, but to code them yourself. I've managed to code the whole sendmail procedure in 20 rows of C source, which had waiting for responses and error handling. And it was not that hard!

vii. Hard moments and good ideas

Hard moments when coding a Trojan are often seen. Sometimes they can slow you down by a couple of days. There are some things you should not do and some you should be aware of.

* WriteFile fucks up the hooks - once when I was making a keylogger for NT I needed much time to realize that the problem was not in the idea of the logger but that I was trying to write to a file directly from the hook procedure. This can be defeated easily with timers which, at short intervals, check some buffer space (for example - a key in the registry) for new data to be added to the file. The weird thing is that this bug cannot be seen in Win9x.

* When using the system.ini method, if you've hooked before the systray is loaded you can forget about this method working. Another mysterious bug that took me almost a week to figure out why the hook won't work after reboot, having in mind that the process is still running. The best idea I came up with is to set a timer which waits for 20 sec and then executes the Trojan itself (e.g. hooking, etc).

* It's easy for one to detect your horse if you didn't manage to change the date of your files after installing the Trojan. No matter how lame a user can be - it's enough to sort the files by date and time of creation. When they see the Trojan to be one of the recently installed files they may get suspicious.

* Hooks won't work if they're in a different DLL file - despite the fact that from the Microsoft Help for 'SetWindowsHookEx' you'd think you can place the thread and the hook in the same file. Actually, the hook is going to work only for the local process' events.
That's why you have to put the hooks in DLL files and load them using the standard Windows API.

* Once your Trojan is detected it can be easily caught by the AVPs. If the AVPs can detect your Trojan then all the PCs that have this Trojan running will be useless to you. Therefore you can use an algorithm which changes the name of the program. For example: it can search for some executable files in the Windows or system directory and rename itself with a similar name - from 'progman.exe' your trojan can name itself 'progman32.exe'. If you can make it change its size to fit the original file's size you will fool the AVPs easily.

* You should consider a variety of ways to recover the Trojan, so if someone finds how the trojan is installed and deletes it, the trojan will be able to reinstall itself.

* Live update - this can sound weird when talking about trojans, but just think of the opportunity to send the newest version of your trojan to all the victims' PCs. And doing this is not hard at all. Here are some methods:
  1) Make a Web site, index it in AltaVista and have your Trojan just look for a string. When it finds the string it performs a version check, gets the new version and everything is done. Downloading the new version can be done with the function FTPGetFileEx() from wininet.dll;
  2) You can place a daemon on a server that listens on a predefined port, or you can run an IRC bot that sends the update;
  3) You can use a POP server - the Trojan pops some e-mail, and the messages should not be deleted. The Trojan checks for the latest version of itself and downloads it without deleting the e-mail;

* Using Resource Workshop you can change the icon of the trojan so it looks like a self-extracting file or like a setup file from Wise Solutions. Of course you can do this way earlier - when compiling. It's good to change the version info also so it matches the icon.
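As an added example (not part of the article), the following Python audit takes the other side of sections iv and vii: it walks the autostart locations listed in section iv and flags the look-alike renaming trick from section vii. It parses a system.ini [boot] section for run=, load= and a shell= that is not explorer.exe, inventories the values of the HKCU ...\Run key (passed in as a dict, since the script runs offline), notes a winstart.bat, and marks any program name that imitates a known system binary with a numeric suffix (progman32.exe beside progman.exe). The system.ini text, the Run-key entries and the list of known binaries are constructed for this example; on a live machine you would feed it the real file and registry values.

```python
import re
from typing import Dict, List, NamedTuple
from pathlib import PureWindowsPath

# Autostart location named in the article.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
# Binaries a renamed trojan might imitate (constructed list; build it from a clean reference install).
KNOWN_SYSTEM_BINARIES = {"explorer.exe", "progman.exe", "rundll32.exe", "winlogon.exe", "taskman.exe"}


class Finding(NamedTuple):
    location: str
    key: str
    command: str
    note: str


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .ini reader: section -> {key: value}, names lower-cased, ';' comments skipped."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def command_basename(command: str) -> str:
    """Lower-cased file name of the program a command line starts (quoted paths honoured)."""
    cmd = command.strip()
    if not cmd:
        return ""
    token = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
    return PureWindowsPath(token).name.lower()


def lookalike_of(name: str):
    """Known binary that `name` imitates by adding a suffix (progman32.exe -> progman.exe), else None."""
    stem, dot, ext = name.rpartition(".")
    if not dot:
        return None
    for known in KNOWN_SYSTEM_BINARIES:
        kstem, _, kext = known.rpartition(".")
        if ext == kext and stem != kstem and re.fullmatch(re.escape(kstem) + r"(32|16|95|98|nt)", stem):
            return known
    return None


def audit_autostart(system_ini: str, run_key_values: Dict[str, str], winstart_present: bool) -> List[Finding]:
    """Inventory every autostart hook the article lists and mark look-alike program names."""
    findings: List[Finding] = []
    boot = parse_ini(system_ini).get("boot", {})
    for key in ("run", "load"):
        if boot.get(key):
            findings.append(Finding("system.ini [boot]", key, boot[key], "program started with Windows"))
    shell = boot.get("shell", "")
    if shell and command_basename(shell) != "explorer.exe":
        findings.append(Finding("system.ini [boot]", "shell", shell, "shell is not explorer.exe"))
    for value_name, command in run_key_values.items():
        findings.append(Finding(RUN_KEY, value_name, command, "registry autostart entry"))
    if winstart_present:
        findings.append(Finding("winstart.bat", "", "", "present; runs before krnl386.exe loads"))
    # Second pass: any command whose program name imitates a system binary gets an extra finding.
    for f in list(findings):
        known = lookalike_of(command_basename(f.command))
        if known:
            findings.append(f._replace(note=f"name imitates {known}"))
    return findings


# Constructed sample input for this example.
SAMPLE_SYSTEM_INI = r"""
[boot]
shell=Explorer.exe
run=C:\WINDOWS\SYSTEM\progman32.exe
load=
drivers=mmsystem.dll
[386Enh]
device=*vcd
"""
SAMPLE_RUN_KEY = {
    "ScanRegistry": r"C:\WINDOWS\scanregw.exe /autorun",
    "SystemTray": "SysTray.Exe",
    "Updater": r'"C:\Program Files\Common\progman32.exe" /q',
}

if __name__ == "__main__":
    for f in audit_autostart(SAMPLE_SYSTEM_INI, SAMPLE_RUN_KEY, winstart_present=True):
        print(f"{f.location} {f.key}={f.command!r}: {f.note}")
```

Every Run-key value is listed on purpose: the article's own point is that a renamed entry hides among legitimate shareware autostarts, so the inventory is reviewed as a whole and the look-alike pass only adds a second finding for the names worth a closer look.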
viii. Conclusion

About 2 months ago Solar Eclipse and I started working on IE4 in order to find where a form is edited before being sent over a secure connection. We wanted to find this place because you cannot simply get the field info in IE4, since they're OwnerDraw. We worked really hard - 12 hours of debugging. The idea was to find all the referrers of the string functions (strlwr, strstr, etc) in kernel32.dll and see when the data from the form passes through. And those strings are referred to thousands of times. We tried to write a script filtering 'em but this didn't help a lot. The first day the result was almost nothing done. But the next day things worked out and Solar succeeded in isolating the offset we were looking for - the one that matches the exact place where, if our code is put in, we can get the data we need. Another problem was the difference in the .DLLs for each version of IE. The file where this action takes place (mshtml.dll) is different for almost every IE version. We actually didn't code the Trojan in practice, although if we did, it would be a cool Trojan that could capture everything. On the other hand, in the same time (spent debugging) we could have coded a very decent keylogger which would get only the requests that are of interest to us. [11] Therefore - before beginning to code something, think it over and ask yourself which is the most suitable way of doing it. Even some of the bad ideas can become a very good Trojan if done properly!

ix. Links

[1]. http://pages.poly.edu/~slishc01/cs/icq.html - Description of the ICQ protocol version 2.
[2]. http://www.cs.princeton.edu/software/lcc/ - LCC Compiler
[3]. http://www.microsoft.com/hwdev/ddk/install98ddk.htm - Windows 98 Driver Development Kit Download
[4]. http://www.geocities.com/Area51/Vault/6702/vxd.html - A page about VxD coding with examples.
[5]. http://www.bytamin-c.com/VisualAssembler/index.htm - Visual Assembler
[6]. http://www.icl.ndirect.co.uk/petite/ - Petite File Compressor
[7]. http://www.jps.net/kyunghi/w32comp.htm - Windows Executable Compressors
[8]. http://www.suddendischarge.com/Compressors.html - All types of Compressors
[9]. http://www.pgpi.org/products/sdk/c++/ - PGP Programming Libraries C/C++
[10]. http://www.crackstore.com/tools.htm - Collection of cool programs.
[11]. http://ourworld.compuserve.com/homepages/w_baudisch/InsideIE.htm - Undocumented Functions Inside Internet Explorer 4
[12]. http://rfc.nat.bg/documents/rfc822.txt - SMTP Protocol.
[13]. http://www.xs4all.nl/~smit - Assembler Language Resources
[14]. http://www.unibest.ru/~ig/docs.html - PE/LE/LX/NE Executable Formats.
[15]. http://www.csee.uq.edu.au/~csmweb/dcc.html#thesis - The PhD Thesis (decompilation related)

EXo

Copyright (C) 1999 Phreedom Magazine
www.phreedom.org | phreedom.orbitel.bg
staff@phreedom.org :: mboard.phreedom.org